Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech

Privacy in Context: Contextual Integrity
Peter Radics
Papers
- H. Nissenbaum. Privacy as contextual integrity. Washington Law Review, 79(1):119–158.
- A. Barth, A. Datta, J. Mitchell, and H. Nissenbaum. Privacy and contextual integrity: framework and applications. In Security and Privacy, 2006 IEEE Symposium on, pages 15 pp.–198, May.
Privacy Scenarios
- Public Records Online
  - Local vs. global access of data
- Consumer Profiling and Data Mining
  - Aggregation/analysis of data vs. single occurrence
- RFID Tags
  - Automated capture of enhanced/large amounts of information
Current Practice in Law
Three guiding principles:
1. Protecting privacy of individuals against intrusive government agents
   - 1st, 3rd, 4th, 5th, 9th, 14th Amendments; Privacy Act (1974)
2. Restricting access to sensitive, personal, or private information
   - FERPA, Right to Financial Privacy Act, Video Privacy Protection Act, HIPAA
3. Curtailing intrusions into spaces or spheres deemed private or personal
   - 3rd, 4th Amendments
Grey Areas of the Three Principles
- USA PATRIOT Act
- Credit headers
- Private vs. public space
- Online privacy at the workplace
Principles and Public Surveillance
Public surveillance is not covered by the principles:
- No government agents pursuing access to citizens
- No collection of personal/sensitive information
- No intrusion into personal/private spaces
- No privacy problems!
Reasonable Expectation of Privacy
Extension to the principles:
1. Person expects privacy
2. Expectation deemed reasonable by society
But: yielding privacy in public space!
Downsides of the Three Principles
- Not conditioned on additional dimensions
  - Time, location, etc.
- Privacy based on dichotomies
  - Private – public, sensitive – non-sensitive, government – private, …
Contextual Integrity: Idea
Main idea:
- Everything happens within a certain context
- Context can be used to provide a normative account of privacy
Contextual Integrity: Corner Stones
Contextual Integrity is based on two corner stones:
- Appropriateness
  - Norms about what is appropriate within a context
  - Norms about what is not appropriate within a context
  - Allowable, expected, demanded information
- Distribution
  - Norms about information flow
  - Free choice, discretion, confidentiality, need, entitlement, obligation
Concerns
- Could be detrimentally conservative
  - Loses prescriptive character through ties to practice and convention
  - Favors status quo
Solution
- Distinguish actual and prescribed practice
- Grounds for prescription can vary between different possibilities
- Norms can change over time/locations
Change of Norms
- Compare current with proposed norm; compare social, political, and moral values
- Affected values:
  - Prevention of information-based harm
  - Informational inequality
  - Autonomy and freedom
  - Preservation of important human relationships
  - Democracy and other social values
Privacy Scenarios (revisited)
- Public Records Online
  - Local vs. global access of data
- Consumer Profiling and Data Mining
  - Aggregation/analysis of data vs. single occurrence
- RFID Tags
  - Automated capture of enhanced/large amounts of information
Second Paper
Formalization of Contextual Integrity: Linear Temporal Logic
- Agents P, attributes T, computation roles (t, t')
- Knowledge state
  - Messages M; a message (p, q, m) takes knowledge state k to k', with k' := k ∪ q × content(m)
- Roles R, contexts C (partition of R)
  - Role state
- Trace: sequence of triples (k, p, a)
Temporal Logic Grammar
Model Checking
- Consistency
- Entailment
- Compliance
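The knowledge-state model of the previous slide and the compliance check named on this one, as an added, constructed Python example (not code from either paper): a policy is a set of positive and negative norms over roles and attributes, each message updates the knowledge state k, and a trace complies when every transmission satisfies some positive norm and every applicable negative norm. The wildcard role "*", the physician/employer/patient roles and the norm conditions are my assumptions.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Message:          # transmission (p, q, m); content(m) = set of (subject, attribute)
    sender: str
    receiver: str
    content: frozenset

@dataclass(frozen=True)
class Norm:             # "*" is a wildcard role (my convenience, not the paper's notation)
    sender_role: str
    receiver_role: str
    attribute: str
    positive: bool      # positive norm: permits the flow when cond holds;
                        # negative norm: cond must hold whenever the norm applies
    cond: object = lambda k, msg, subj: True

def in_role(roles, agent, role):
    return role == "*" or role in roles.get(agent, set())

def applies(n, roles, msg, attr):
    return (in_role(roles, msg.sender, n.sender_role)
            and in_role(roles, msg.receiver, n.receiver_role) and n.attribute == attr)

def check_message(k, roles, norms, msg):
    """Compliance of one transmission: every (subject, attribute) it carries must
    satisfy at least one positive norm and every applicable negative norm."""
    for subj, attr in msg.content:
        pos = any(n.positive and applies(n, roles, msg, attr) and n.cond(k, msg, subj)
                  for n in norms)
        neg = all(n.cond(k, msg, subj) for n in norms
                  if not n.positive and applies(n, roles, msg, attr))
        if not (pos and neg):
            return False
    return True

def run_trace(roles, norms, trace):
    """Replay a trace; return (compliant, index of first violation, final k)."""
    k = frozenset()     # knowledge state: (agent, subject, attribute) triples
    for i, msg in enumerate(trace):
        if not check_message(k, roles, norms, msg):
            return False, i, k
        k = k | frozenset((msg.receiver, s, a) for s, a in msg.content)  # k' := k U {q} x content(m)
    return True, None, k

# Constructed scenario: a physician may forward a medical attribute only if the sender
# already holds it in k; nothing medical may flow to an employer.
ROLES = {"alice": {"physician"}, "bob": {"physician"}, "carol": {"employer"}, "dave": {"patient"}}
NORMS = [Norm("patient", "physician", "medical", True),
         Norm("physician", "physician", "medical", True, cond=lambda k, m, s: (m.sender, s, "medical") in k),
         Norm("*", "employer", "medical", False, cond=lambda k, m, s: False)]
```

A trace in which the patient discloses to alice, alice forwards to bob and alice then sends to carol fails at the third message; a trace that starts with bob forwarding a record he never received fails at the first.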
Example: HIPAA
Comparison to Other Models
Discussion
- What are the strengths/weaknesses of Contextual Integrity?
- Is a formal model of Contextual Integrity useful?
- How can an end-user benefit?